WEBVTT

00:00.000 --> 00:16.240
All right. I know they told me to stay in this little box, but I want to walk among

00:16.240 --> 00:22.560
you. How are you guys doing this morning? Are you awake? Awake? Are you? Prove it. Stand

00:22.560 --> 00:28.720
up. Up, up, up. Everybody up. Not just the Hack in the Box crew who weirdly listen to

00:28.720 --> 00:35.480
me. I don't understand why this happens every year. So, okay. I make you get up because

00:35.480 --> 00:40.040
I have to be up. And my God, I drank too much last night. So if I have to be up, you have

00:40.040 --> 00:44.640
to be up for just two minutes. So besides the Hack in the Box crew who have seen me

00:44.640 --> 00:51.280
do this to the audience before, how many of you have been in the security industry for

00:51.280 --> 00:59.000
or security industry or computing industry for five years or less? Okay. So sit down.

00:59.000 --> 01:06.120
Those five years or less. Sit down. Okay. Ten years or less. Sit down. Okay. Now we're seeing

01:06.120 --> 01:12.040
how old I am. I'm still standing. Fifteen years or less. Okay. All right. Wait, wait.

01:12.040 --> 01:18.720
We're dwindling here. So who is left standing up? Okay. Number one, these are people you

01:18.720 --> 01:27.200
need to buy drinks for because we have been through a lot. Okay. Yes. You can all sit

01:27.200 --> 01:35.400
down at this point. So thank you so much for having me again at Hack in the Box. You know,

01:35.400 --> 01:39.560
the crew here, we were talking about it, the other keynotes and I, we're talking about

01:39.560 --> 01:44.880
how much this conference, you know, takes care of you and the crew takes care of you.

01:44.880 --> 01:53.640
And today I'm actually going to talk about essentially a massive, long held social engineering

01:53.640 --> 02:01.440
hack that probably started for me about 18 years ago. My first DEF CON was DEF CON 7.


02:01.440 --> 02:07.080
So yes, you need to buy me all the drinks because I'm very old and clearly I need those

02:07.080 --> 02:15.040
drinks to live because, you know, water isn't doing it for me. But, you know, for me hacking

02:15.040 --> 02:20.640
has been a passion for quite some time and, you know, my career started so long ago in

02:20.640 --> 02:25.960
this industry that there weren't a lot of ways to make money legitimately or otherwise

02:25.960 --> 02:30.400
actually because the early internet didn't have the same dependence that the current

02:30.400 --> 02:36.120
internet has for us as a society. You know, we didn't do any banking online back when

02:36.120 --> 02:43.280
I was learning how to hack, right? We didn't do a whole lot of things that our society

02:43.280 --> 02:50.520
depended on economically, socially and politically. Let's not even go there right now. I'm so

02:50.520 --> 02:56.520
depressed in the United States. But the point was if you knew how to hack a computer back

02:56.520 --> 03:00.480
in the days that I learned how to hack a computer, there were things that you could do with it

03:00.480 --> 03:05.000
that were mostly curiosity bound. And how many of you saw Aaron's talk yesterday morning?

03:05.000 --> 03:11.560
Raise your hands. Yeah. So Aaron did this great, see this is who wakes up in the morning.

03:11.560 --> 03:20.360
You guys are hard core. But, you know, in terms of hacking and what you could do with

03:20.360 --> 03:25.920
it, Aaron did this great walk through, you know, that was inspired by Hollywood and essentially

03:25.920 --> 03:33.120
showing how life was imitating art in terms of hacking. But way back there really wasn't

03:33.120 --> 03:38.120
that much you could do commercially in order to make money if you were a hacker.
Certainly

03:38.120 --> 03:45.240
the movie WarGames, you know, which started the Reagan administration in the United States

03:45.240 --> 03:51.600
on this path of criminalizing hacking because they were afraid of our super powers. They

03:51.600 --> 03:58.960
were afraid of what we could do. Certainly that was a big moment in hacking history.

03:58.960 --> 04:05.720
However, it was a moment in which our activities were criminalized, not celebrated, not understood,

04:05.720 --> 04:10.240
and ways in which that we might have been able to contribute to the security of our

04:10.240 --> 04:19.000
society were overlooked in favor of fear. And I see this today in terms of legislation

04:19.000 --> 04:25.100
and regulation that is being put in place or is already in place in terms of trying

04:25.100 --> 04:31.600
to deal with our super powers, what they perceive, the normal people in the world perceive as

04:31.600 --> 04:41.800
magic of what we can do. So one of the things that I noticed during my first DEF CON, they

04:41.800 --> 04:46.720
keep telling me not to move across the space, but obviously I just, I can't stand it. I

04:46.720 --> 04:54.840
really want to be with you. So how many of you had a computer when you were a child?

04:54.840 --> 04:59.040
Right? Okay. So there's a generational issue here too as well. How many of you had an old

04:59.040 --> 05:06.000
computer that could only do command line when you were a child? Okay, there we go. So the

05:06.000 --> 05:14.480
thing about it is, is if that's how you had to learn how to use a computer and that's

05:14.480 --> 05:18.840
how you had to learn how to use the internet, there were a lot of things that you had to

05:18.840 --> 05:25.920
do manually that weren't set up for you.
And so when we were learning how to do this, we

05:25.920 --> 05:31.440
essentially had to either learn very quickly how these things worked or write something

05:31.440 --> 05:38.720
ourselves that made the computer do what we wanted it to do in order to get what we wanted.

05:38.720 --> 05:43.920
A lot of us got our start in security because we had a younger brother or sister that we

05:43.920 --> 05:50.000
simply wanted to keep out of our files. So that was our first attempt at encryption.

05:50.000 --> 05:54.440
Others of us got into it because we wanted to play a game that we didn't have a license

05:54.440 --> 06:07.040
for and so learning how to use a hex editor to crack a game. But eventually the stakes

06:07.040 --> 06:14.360
became much higher for all of us as our dependence as a society grew on computing, on the internet

06:14.360 --> 06:21.200
itself and on the ability of people like the folks in this room to change the rules at

06:21.200 --> 06:27.680
any given time of what was possible with a computer, with a network and at this point

06:27.680 --> 06:33.920
in our technological growth with anything at all that might have code running on it

06:33.920 --> 06:37.600
and might be on the internet. They call it the Internet of Things. I feel like that's

06:37.600 --> 06:43.560
going to be a term that goes away very quickly because that is going to just define the internet

06:43.560 --> 06:51.360
just because every single thing that you could have that you want to collect data is going

06:51.360 --> 06:57.980
to be talking to every other thing.
And when I look at all of the interconnected devices,

06:57.980 --> 07:03.380
our dependence on it societally, our dependence on it economically and the fact of the matter

07:03.380 --> 07:09.880
is that our society even if you want to opt out of this new interconnected world, let's

07:09.880 --> 07:14.240
say you want to drive a car with not a single microchip in it for the rest of your life,

07:14.240 --> 07:19.560
that's lovely but you will be sharing the road with vehicles that have been designed

07:19.560 --> 07:26.160
to drive themselves and so your safety and the safety of the people that you care about

07:26.160 --> 07:33.640
will be somewhat dependent on dear God the security of a vehicle that may or may not

07:33.640 --> 07:39.600
have been designed to be a computer as well. And we all know how fragile this ecosystem

07:39.600 --> 07:45.640
is especially the old folks that you need to buy drinks for. We all very much, yes see

07:45.640 --> 07:52.480
he needs a drink right now. You just help him out. But we understand the fragility of

07:52.480 --> 07:59.520
this ecosystem and quite frankly it frightens the heck out of me that not only is our society

07:59.520 --> 08:08.240
dependent on it now but there will be no aspect of society where you can opt out anymore and

08:08.240 --> 08:15.680
you cannot opt out of the internet and you can't opt out of security. So the title of

08:15.680 --> 08:20.440
this talk is actually Hacking the Pentagon. How many of you heard about Hack the Pentagon?

08:20.440 --> 08:25.440
Okay, the crew and my friends in the front row put your hands down and anyone left? Okay,

08:25.440 --> 08:29.840
oh one, two, two people who are not crew or my friends in the front row have heard of

08:29.840 --> 08:39.840
Hack the Pentagon.
So just to give a little bit of background, I obviously I was a tinkerer,

08:39.840 --> 08:45.200
hacker for a very long time in my life but at a certain point in my career I decided

08:45.200 --> 08:52.000
that I needed to do some hacking that was a little bit higher level in terms of how

08:52.000 --> 08:58.040
much I could affect the world. I certainly could find bugs and I certainly could you

08:58.040 --> 09:03.040
know make my penetration testing clients satisfied because I was able to break into their network

09:03.040 --> 09:07.480
or do all of that stuff but I realized at a certain point especially considering I was

09:07.480 --> 09:13.360
finding the same types of bugs over and over again that one it was getting boring, two

09:13.360 --> 09:19.120
we weren't getting better at security necessarily and three that I might not be able to effect

09:19.120 --> 09:24.320
change and help society as much as I wanted to if I was essentially hacking one bug at

09:24.320 --> 09:31.480
a time, one client at a time. So remember I said that my first DEF CON was DEF CON 7.

09:31.480 --> 09:38.000
That was in 1999 and we were all kind of rolling up and waiting for the Y2K bug. Has anyone

09:38.000 --> 09:44.840
heard of the Y2K bug? Okay, alright again besides the front row and the crew who is

09:44.840 --> 09:49.800
left in the room, okay so we were concerned about this glitch that was going to affect

09:49.800 --> 09:56.640
so many computer systems worldwide and they had a shortage of programmers who could program

09:56.640 --> 10:02.040
you know in a lot of the languages, COBOL for example, that were running a lot of this

10:02.040 --> 10:08.280
vulnerable code and we were worried that essentially the grid as it were way back then was just

10:08.280 --> 10:11.560
going to come crashing down you know we were worried airplanes were going to fall from

10:11.560 --> 10:16.480
the sky all kinds of things. Hardly any of that happened.
There were a few little incidents

10:16.480 --> 10:23.200
that were related to Y2K but think about the computing and interconnectivity that was around

10:23.200 --> 10:29.480
in 1999 versus where we are today in 2016 and you begin to see this picture of that

10:29.480 --> 10:35.200
was viewed as a potential disaster on the horizon because of one bug distributed across

10:35.200 --> 10:40.080
multiple systems around the world and you see the growth of the internet and I would

10:40.080 --> 10:44.960
love to have stats off the top of my head but let's just say it's grown exponentially.

10:44.960 --> 10:51.480
Our dependence on it has grown exponentially. Today we have so many interconnected devices

10:51.480 --> 10:57.080
with often no way to update them. It's not a matter of finding someone who can write

10:57.080 --> 11:03.640
the code and correct the one bug but you know crew and front row you're allowed to raise

11:03.640 --> 11:09.440
your hands for this. Heartbleed, anybody? Yes, you've heard of this. Okay. So Heartbleed

11:09.440 --> 11:15.240
is such a great example of where we are now in terms of our state of overall vulnerability

11:15.240 --> 11:22.440
and inability to deal with the issues at hand. Shared library, open source, bug in the code

11:22.440 --> 11:28.320
for more than two years. Couple of people managed to concurrently find that bug. So

11:28.320 --> 11:34.360
proving that if one person found it probably somebody else did as well, that old theory

11:34.360 --> 11:40.200
of bug collisions but think about what the rollout looked like for dealing with that.

11:40.200 --> 11:47.560
One vulnerability coordination at best between one hacker or one finder and one vendor is

11:47.560 --> 11:55.040
rough sometimes. Imagine vulnerability coordination between hackers, vendors of an open source

11:55.040 --> 12:02.240
library and then the fact that the library itself has to be distributed across the world.


12:02.240 --> 12:09.600
That distribution and that vulnerability coordination took over 100 different companies all trying

12:09.600 --> 12:16.360
to keep a secret that ultimately leaked about a week before the designated date where everybody

12:16.360 --> 12:22.320
was supposed to go live with it. So thinking about the problems with vulnerability coordination

12:22.320 --> 12:30.240
even on a scale like that where it's just trying to deploy a fix for one shared library

12:30.240 --> 12:36.960
and you look at the world of Internet of Things and how many of those things have full software

12:36.960 --> 12:43.200
development houses at their disposal, have full testing houses, have automation and testing,

12:43.200 --> 12:47.600
have any kind of security development life cycle, you pretty much come down to almost

12:47.600 --> 12:55.040
no one and then of those IoT vendors, how many of them are using open source libraries?

12:55.040 --> 13:01.000
You come up with most of them. And it's a shortcut way for a lot of these technology

13:01.000 --> 13:06.640
organizations or these non-technology organizations who are suddenly adding code to their devices

13:06.640 --> 13:12.240
and systems to ramp up very quickly and develop something that can suddenly talk to the Internet

13:12.240 --> 13:17.760
when they don't even know what they're doing and they have no way to essentially service

13:17.760 --> 13:28.320
or patch all of these devices. So let's get back to hacking the Pentagon, right? So hacking

13:28.320 --> 13:36.480
the Pentagon, one, I'm amazed that they kept that name, Hack the Pentagon. That was a surprise

13:36.480 --> 13:41.600
to probably all of us who were working on this project for the last couple of years.

13:41.600 --> 13:48.000
We would call it that.
But what it was was symbolically and effectively the very first

13:48.000 --> 13:54.240
time that the United States government, one, admitted that it needed some help in terms

13:54.240 --> 13:58.960
of cybersecurity, not just saying, no, no, we're secure, trust us, it's fine, all of

13:58.960 --> 14:03.440
your personal data, everyone who's ever applied for a clearance, it's fine, we'll take care

14:03.440 --> 14:08.040
of it. One, it was the first time they were openly asking for help from the hacker community.

14:08.040 --> 14:12.920
Two, it was the first time that they wanted to do anything with the hackers publicly except

14:12.920 --> 14:18.920
throw them in jail. And three, it was the first time that the United States government

14:18.920 --> 14:26.120
was willing to pay people like us in exchange for vulnerabilities. And you might think that

14:26.120 --> 14:31.280
this was some kind of an impossible task. And it was for sure, definitely. The people

14:31.280 --> 14:37.960
inside the Pentagon who helped make this happen, who were the internal bureaucratic hackers,

14:37.960 --> 14:43.880
Lisa Wiswell, Charlie, Chris Lynch, all of those folks, and Secretary of Defense Ash

14:43.880 --> 14:50.560
Carter himself, who made the decision ultimately to go ahead and do this crazy thing and prove

14:50.560 --> 14:55.520
the fact that not only could the government work with hackers directly, but they could

14:55.520 --> 15:04.920
work with hackers and invite them to hack the actual Pentagon and survive and get better.

15:04.920 --> 15:09.440
That program lasted for about 21 days. It was a pilot program. The Department of Defense

15:09.440 --> 15:14.120
has publicly announced already that they're going to expand that program because what

15:14.120 --> 15:23.440
they found was over 1,400 hackers tried to pre-register for this program.
A lot of people

15:23.440 --> 15:29.120
were thinking that this was not going to work, that a lot of my hacker friends actually are

15:29.120 --> 15:32.760
still to this day very suspicious about the whole thing, thinking that they were going

15:32.760 --> 15:38.360
to be registered in this giant government database, they were going to end up in Guantanamo.

15:38.360 --> 15:46.840
Essentially all the paranoia was there, and yet 1,400 different hackers came forward and

15:46.840 --> 15:52.840
wanted to participate in this historic program and have all their names written down and

15:52.840 --> 15:58.080
their social security numbers known and all that stuff. But the fact of the matter was

15:58.080 --> 16:03.080
the United States government wasn't just looking for its bugs, it was looking for people who

16:03.080 --> 16:08.480
were willing to help, people who would actually answer the call when they said, we actually

16:08.480 --> 16:16.400
need your help, hackers, we need your help. So of those 1,400, within I believe it was

16:16.400 --> 16:22.240
13 minutes after the doors opened on Hack the Pentagon that the first vulnerability

16:22.240 --> 16:29.600
report was received. 1,400 people and already less than 15 minutes into the program bugs

16:29.600 --> 16:38.160
started coming in. So looking back at what the Pentagon's goals were, engage the hacker

16:38.160 --> 16:44.000
community, find out about vulnerabilities in some of its websites, and figure out who is

16:44.000 --> 16:50.240
willing to come forward and trust the fact that they would actually come forward when

16:50.240 --> 16:55.360
called to Hack the Pentagon and they would actually turn over the bugs they found.
All

16:55.360 --> 17:01.200
of these things had to be met in order for that program to be deemed a success and deemed

17:01.200 --> 17:07.160
a way to move forward in a new way with the hacker community rather than putting them

17:07.160 --> 17:14.120
in jail or threatening them, but in fact embracing them. And I will not forget the fact that

17:14.120 --> 17:19.920
at the end of the program, Secretary of Defense Ash Carter invited a couple of the hackers

17:19.920 --> 17:25.440
up to the Pentagon to stand with him as he talked about the results of the program. One

17:25.440 --> 17:30.080
of them was a high school kid and you know for those of us who have been doing this for

17:30.080 --> 17:38.320
a very long time, can you imagine, can you imagine as we were children that the leader

17:38.320 --> 17:42.760
of one of the most powerful or potentially the most powerful military organization that

17:42.760 --> 17:51.000
the world has ever seen is thanking you for pointing out his weaknesses. Amazing. This

17:51.000 --> 17:58.640
was incredible. So how did this even come to be? The first time I went to the Pentagon,

17:58.640 --> 18:03.800
I was still working at Microsoft. So for those of you who know how long ago I worked at Microsoft,

18:03.800 --> 18:11.000
I left in 2014. I started Microsoft's bug bounties in 2013. That process itself took

18:11.000 --> 18:18.360
me about three years to get Microsoft to agree to pay hackers money. But what had happened

18:18.360 --> 18:22.760
in order to lead up to the Pentagon and this historic moment where you know the leader

18:22.760 --> 18:31.400
of the most powerful military in the world is thanking a child for pointing out his weaknesses

18:31.400 --> 18:39.320
began when I had actually briefed some of the folks inside of a small group at MIT and

18:39.320 --> 18:47.240
Harvard on what I had done to convince Microsoft to allow hackers to hack them and get paid

18:47.240 --> 18:53.280
for it.
Now does anybody remember, I think it was back in like 2008 or so, does anyone

18:53.280 --> 18:57.760
remember what Microsoft would say when they were asked about whether or not they would

18:57.760 --> 19:03.120
pay a bug bounty or pay hackers money in exchange for vulnerabilities? Anyone remember? Okay.

19:03.120 --> 19:08.200
No one remembers. That's okay. Microsoft was publicly saying that they would never pay

19:08.200 --> 19:13.400
for vulnerabilities. They said that word. They said never. You know, most mega corporations

19:13.400 --> 19:18.040
usually will hedge around what they say and they don't use absolutes if they can't, if

19:18.040 --> 19:23.960
they can avoid it. And Microsoft was using an absolute saying never. And why was that?

19:23.960 --> 19:28.600
In the Microsoft Security Response Center, how many of you saw Sweetie's talk yesterday?

19:28.600 --> 19:34.160
Did any of you see Sweetie's talk? So Sweetie's talk was, I missed it but I saw the slides.

19:34.160 --> 19:38.480
The slides looked great. It's talking about all the mitigation enhancements to the Windows

19:38.480 --> 19:45.040
10 platform and all the ways in which exploitation techniques are becoming harder to execute

19:45.040 --> 19:53.320
even if you do find a critical vulnerability on the platform. But going back to 2008, Microsoft

19:53.320 --> 19:57.560
executives were saying they were swearing that they would never pay money. What was

19:57.560 --> 20:01.560
going on? What was causing them to believe that they would never have to do that? Well,

20:01.560 --> 20:07.960
in the Microsoft Security Response Center, they were receiving over 200,000 non-spam

20:07.960 --> 20:16.240
email messages per year of friendly hackers who were volunteering for free to tell Microsoft

20:16.240 --> 20:20.600
about its weaknesses.
So with that data, they were thinking, well, you know, all these friendly

20:20.600 --> 20:25.720
hackers who want to see the world being a safer place, these friendly hackers are willing

20:25.720 --> 20:30.240
to come forward for free. Rule number one, always silence your own phone when you're

20:30.240 --> 20:36.560
using it. Okay, there we go. Actually, the day I announced the Microsoft Bug Bounty programs,

20:36.560 --> 20:42.840
I was on stage in Bangkok and I heard a phone ring going off and it was going off and I

20:42.840 --> 20:46.120
was thinking, wow, somebody really needs to silence that thing. And then I realized it

20:46.120 --> 20:50.440
was a Windows phone ring and then I realized the only person whose phone it could possibly

20:50.440 --> 20:55.640
be was mine. So I had to go, well, okay, there was maybe one other person in the room whose

20:55.640 --> 21:01.280
phone it could possibly be, but essentially my own alarm was going off on stage the day

21:01.280 --> 21:06.480
that I was announcing the Microsoft Bug Bounty programs. And actually, Dylan and Belinda

21:06.480 --> 21:14.680
were there with me. It was an amazing day. But so how did I get Microsoft from this position

21:14.680 --> 21:20.640
where they were receiving so many bugs for free, where they were receiving tons of critical

21:20.640 --> 21:28.520
and critical vulnerabilities for free, even when there was an exploit and vulnerability

21:28.520 --> 21:34.520
market that was alive and well where all of these bugs were getting bought by other parties,

21:34.520 --> 21:37.680
whether they were defensive parties like the Zero Day Initiative. How many of you have

21:37.680 --> 21:44.240
heard of ZDI? Okay, great. So Zero Day Initiative and other kinds of vulnerability acquisition

21:44.240 --> 21:49.440
programs like it are defense oriented in that they will buy the vulnerability in order to

21:49.440 --> 21:53.040
get it fixed.
They will buy it, they will give it to the vendor to fix it, they will

21:53.040 --> 21:56.320
maybe build a product or an alerting service or something around the fact that they've

21:56.320 --> 22:01.160
acquired these unknown vulnerabilities, but that's the defense market for vulnerabilities.

22:01.160 --> 22:06.400
The offense market for vulnerabilities is something entirely different. The offense

22:06.400 --> 22:11.880
market is buying vulnerabilities and exploits in order to keep them secret, in order to

22:11.880 --> 22:18.360
use them for attacks, in order to keep them live and, you know, viable for as long as

22:18.360 --> 22:24.200
possible. So they're not just buying the vulnerability, they're actually buying exclusivity. How

22:24.200 --> 22:27.960
many of you have heard what happened with Hacking Team? Any of you heard of Hacking

22:27.960 --> 22:35.960
Team? Okay, great. So Hacking Team was a great example of how the offense market really worked.

22:35.960 --> 22:40.960
You saw in the email dumps of Hacking Team that vulnerability or exploit sellers were

22:40.960 --> 22:46.920
offering a range of vulnerabilities and they were offering priceless price breaks if you

22:46.920 --> 22:54.920
bought a bundle, you know, bargain, bargain bugs, and they were also offering exclusivity

22:54.920 --> 23:00.920
of the vulnerability itself by tripling the price. They also had a payout schedule that

23:00.920 --> 23:07.120
was very nicely documented saying, you know, if you buy this bug, give me 50% of the money

23:07.120 --> 23:14.880
upfront and then pay me out 25%, 25% one month later and then the last month later and you

23:14.880 --> 23:21.080
don't have to pay if the bug essentially gets patched or something else happens to make

23:21.080 --> 23:29.840
it less viable for attack.
So you begin to see the reason why some of the prices for

23:29.840 --> 23:36.200
vulnerabilities seem so high in the offense market versus the defense market is because,

23:36.200 --> 23:41.560
again, they're not paying just for the vulnerability, they're paying for the hacker's silence. They're

23:41.560 --> 23:46.920
paying for the ability to use this thing for offense for as long as possible. So let's

23:46.920 --> 23:52.320
get back to Microsoft, right? So Microsoft's getting all of these bugs for free. Sounds

23:52.320 --> 24:00.280
great. Sounds like a reason to vow never to pay hackers money. However, there was this

24:00.280 --> 24:07.720
pesky thing that I had access to which was vulnerability reporting data inside of Microsoft.

24:07.720 --> 24:11.680
And one of the things that was very important to Microsoft was that it had not just this

24:11.680 --> 24:18.400
pipeline of free bugs, but it had a pipeline of potential recruits of hackers who it might

24:18.400 --> 24:23.480
be able to hire to help make its products more secure. This direct interaction with

24:23.480 --> 24:29.120
hackers potentially for recruiting was very important to the biggest software company

24:29.120 --> 24:38.640
in the world. Famously, let's see, there was a hacking group in Poland that some of the

24:38.640 --> 24:45.200
early folks at Microsoft security years before I was ever there went to go visit because

24:45.200 --> 24:50.580
they had found some serious vulnerabilities. They went to go visit them to recruit them.

24:50.580 --> 24:55.200
Some of those folks still work at Microsoft to this day, 15 years later, trying to help

24:55.200 --> 25:03.040
make those products more secure.
So the data that I had was showing that not only, yes,

25:03.040 --> 25:08.440
the bugs were still coming in, but more and more of the bugs, the critical bugs in critical

25:08.440 --> 25:14.920
software like Internet Explorer were coming in through Zero Day Initiative or other defense

25:14.920 --> 25:21.200
market brokers. So what did that actually do? It cut off access that Microsoft had directly

25:21.200 --> 25:26.560
to the hackers. This is bad. It also did something that Microsoft didn't like, which was put

25:26.560 --> 25:32.960
a time limit on a fix. Yeah, they hate that. So there were two kind of undesirable things

25:32.960 --> 25:35.960
that were happening, even though they were getting the bugs, even though somebody else

25:35.960 --> 25:40.280
was paying for them, and even though, you know, generally speaking, at least 180 days

25:40.280 --> 25:45.840
would pass before anybody dropped the 0day in this little defensive ecosystem, they realized

25:45.840 --> 25:51.680
that they wanted to actually change those trends to regain direct access to that hacker

25:51.680 --> 26:00.200
community that's capable of finding those bugs, to be able to control, you know, essentially

26:00.200 --> 26:06.280
the timeline because of who might know about the vulnerability. And the one piece of data

26:06.280 --> 26:14.160
that I showed the IE team that ended up knocking over the last of the objections of Microsoft

26:14.160 --> 26:21.040
was data. So IE would go through a public beta period where they would release, you

26:21.040 --> 26:26.760
know, a less than stable version of the software in order for the customers to go ahead and

26:26.760 --> 26:32.840
test it in their environments. Microsoft engineers were fixing as many bugs as they could during

26:32.840 --> 26:37.280
this beta period. So what was happening with all these free, you know, free bugs that the

26:37.280 --> 26:41.360
hackers were giving Microsoft?
How many of them do you think were coming in during the

26:41.360 --> 26:49.440
beta period? You want to think 40, 50 now, right? Actually very few. So there were usually

26:49.440 --> 26:53.120
very few vulnerabilities coming in. And then when would they come in? There was a giant

26:53.120 --> 27:01.840
spike after the final release of IE, the release to manufacturing. So after RTM, huge spike

27:01.840 --> 27:08.840
of incoming vulnerabilities. What did that mean? Well, the incentives at that time for

27:08.840 --> 27:13.840
these hackers to come forward with free bugs that Microsoft was offering was 10 point Arial

27:13.840 --> 27:18.920
font and their name in a bulletin. So that was the only incentive that a hacker had.

27:18.920 --> 27:24.200
Now if a bug is fixed during the beta period, chances are unless it also affected down level

27:24.200 --> 27:29.280
versions, you weren't going to get your name in a bulletin. So hackers had inadvertently

27:29.280 --> 27:35.500
been trained by Microsoft to hold on to their bugs until the worst possible time to tell

27:35.500 --> 27:40.440
Microsoft, which is after you're out of the beta period. So I showed the head of IE this

27:40.440 --> 27:47.080
big spike at the worst possible time for engineering for him. And I said, look, all we need to

27:47.080 --> 27:53.160
do is provide an incentive for these hackers who are going to help us anyway to come forward

27:53.160 --> 27:58.040
earlier in the beta period. And we can do this traffic shaping exercise and we can move

27:58.040 --> 28:02.960
this spike of vulnerabilities and give you guys the maximum amount of time to fix it.

28:02.960 --> 28:09.480
I didn't get through my little 12 slide presentation to the head of IE. I got to slide two and

28:09.480 --> 28:15.040
he literally said to me, yes, yes, yes, I'm going to make it easy for you. How much? That

28:15.040 --> 28:19.800
was literally what he said.
And I sat there after two and a half years at that point,

28:19.800 --> 28:23.240
two and a half, almost three years, I sat there saying, wait a minute, did that just

28:23.240 --> 28:29.120
happen? Did he just, did he just offer to back a truck of money up to the Microsoft

28:29.120 --> 28:35.400
Security Response Center and pay for his bugs? And in fact, that is what happened. Because

28:35.400 --> 28:42.240
just because he wanted to align what he knew the hacker community was going to do anyway,

28:42.240 --> 28:46.680
which is look for bugs, he wanted to align what he knew the friendly hackers were going

28:46.680 --> 28:51.240
to do anyway, which is turn them over to Microsoft to get them fixed. He wanted to align all

28:51.240 --> 28:55.480
of these activities that were inevitable with his schedule and he was willing to pay for

28:55.480 --> 29:03.880
it. So that was that. And that finally ended Microsoft's longstanding aversion to paying

29:03.880 --> 29:10.840
hackers money directly for vulnerabilities. Finally, there was a reason to channel the

29:10.840 --> 29:15.680
hackers' eyes, channel their energy and point them at the product they wanted to find out

29:15.680 --> 29:20.120
about, which is the latest product, at the time they wanted to find out about those bugs

29:20.120 --> 29:24.040
in a most advantageous way for engineering and then ultimately for the customer, which

29:24.040 --> 29:31.960
was the earliest part of the beta period of that product. So something else that I was

29:31.960 --> 29:37.800
able to start at that time was not just an individual bug bounty that was time based

29:37.800 --> 29:46.440
deliberately and orchestrated to move that big spike of traffic. How many of you

29:46.440 --> 29:51.400
have heard of the mitigation bypass bounty at Microsoft? It's the $100,000 bounty that's

29:51.400 --> 29:58.760
been going for the last three years. Yeah.
So at the time you could go to Pwn2Own and

29:58.760 --> 30:05.000
that year you could get $100,000, the top prize at Pwn2Own that year, for coming up with

30:05.000 --> 30:13.960
an exploit that would bypass all of the mitigations of any given platform target. You get $100,000

30:13.960 --> 30:20.680
if you did the live exploits at that moment during the contest. What I was able to convince

30:20.680 --> 30:26.280
Microsoft to do was not have a contest once a year, but essentially having an ongoing

30:26.280 --> 30:32.880
six-figure bounty that wasn't necessarily for a single exploit, but it was for something

30:32.880 --> 30:37.960
more valuable to Microsoft and that was for a mitigation bypass technique. How many of

30:37.960 --> 30:42.440
you have heard of return-oriented programming? Okay. How many of you have heard of JITSpray?

30:42.440 --> 30:48.880
All right. Slightly fewer, but it's okay. These are all representative examples of mitigation

30:48.880 --> 30:53.320
bypass techniques. So whether you find a vulnerability and whether you're able to exploit it are

30:53.320 --> 30:58.160
two very different things, right? Especially as modern platforms have been made more and

30:58.160 --> 31:04.320
more secure. So why would an organization like Microsoft want to learn about mitigation

31:04.320 --> 31:10.160
bypass techniques as early as possible? Does anyone have a guess? That's okay. We'll guess.

31:10.160 --> 31:15.040
You know what? We'll guess at karaoke later. It'll be more fun. You know that's happening

31:15.040 --> 31:20.320
tonight. I'm just inviting you all at this moment. So the reason Microsoft needed to

31:20.320 --> 31:25.440
know about it as early as possible is because to create new mitigations to combat those

31:25.440 --> 31:30.680
exploitation techniques takes not just a Patch Tuesday, it takes rearchitecture of the platform

31:30.680 --> 31:35.720
on some level.
And that is something that usually takes an operating system company

31:35.720 --> 31:40.040
several iterations to change. And it's not because they're slow and they don't know how

31:40.040 --> 31:44.840
to fix it. It's because all the applications that run on top of the platform all have to

31:44.840 --> 31:51.680
have time to adapt to the new way that the operating system works. So it's essentially

31:51.680 --> 31:58.320
an issue of future-thinking engineering to make exploitation harder because of what you've

31:58.320 --> 32:03.120
learned about today of how exploitation works on the platform today. These are much longer-

32:03.120 --> 32:08.080
term fixes. And Microsoft essentially needed to know about these new techniques as early

32:08.080 --> 32:12.880
as possible to plan how they were going to deal with it for the next version or maybe

32:12.880 --> 32:19.640
even the version after that of the operating system. Now remember I was talking about

32:19.640 --> 32:25.560
those different markets and how, you know, they often will pay for exclusivity at very high

32:25.560 --> 32:32.160
prices. How many of you think that Microsoft was competing directly on price with these

32:32.160 --> 32:38.240
markets? Does anybody really think that? Great. You don't think that or you've fallen asleep.

32:38.240 --> 32:43.920
I need to run around you a few more times. Okay. But the fact of the matter is they didn't

32:43.920 --> 32:49.320
need to compete directly on price, not for those IE vulnerabilities that were critical.

32:49.320 --> 32:54.820
By the way, how many vulnerabilities do you think were collected in that one month bug

32:54.820 --> 33:02.120
bounty period at the beginning of the IE 11 beta release? Anyone want to guess? Four?

33:02.120 --> 33:08.520
Can someone say four? Yeah? Okay. How much money do you think Microsoft would have had

33:08.520 --> 33:16.000
to pay to get those four maybe critical vulnerabilities? One million dollars?
No, I didn't hear that

33:16.000 --> 33:21.600
out there. Okay. No, actually what happened was, even though each of those vulnerabilities,

33:21.600 --> 33:26.680
there were 18, by the way, vulnerabilities that came in that were valid and what we would

33:26.680 --> 33:32.720
call bulletin-class, so they were important or critical vulnerabilities. 18 of them came

33:32.720 --> 33:43.280
in in one month. About $28,000 total was spent to collect those 18 vulnerabilities. Now why

33:43.280 --> 33:48.040
do you think, you know, it was possible for Microsoft to get these for such a low price?

33:48.040 --> 33:53.440
Well, think about those other markets. When the offense market wants to buy a bug, they

33:53.440 --> 33:58.940
want to be able to use it for attacks. Why would they buy a bug during the beta period of software?

33:58.940 --> 34:05.640
Why would they spend six figures on an exploitable vulnerability that may evaporate in next week's,

34:05.640 --> 34:10.280
you know, test, a new release of the beta software? So they wouldn't. So essentially there was

34:10.280 --> 34:19.380
a gap in the market there. Now going back to the $100,000 mitigation bypass bounty. Yes,

34:19.380 --> 34:24.360
there was that same price for the Pwn2Own contest that year, but remember that was just

34:24.360 --> 34:29.840
offering $100,000 for a working exploit and it could use one of those existing exploitation

34:29.840 --> 34:34.140
techniques like return-oriented programming or JITSpray or whatever it was. Didn't need

34:34.140 --> 34:39.120
to come up with a brand new technique in order to claim that $100,000 in that once-a-year

34:39.120 --> 34:45.800
contest. So what was Microsoft thinking, you know, in terms of will they have anybody who's

34:45.800 --> 34:51.200
willing to come forward with this very, very valuable technique? Again, think about who

34:51.200 --> 34:56.520
the adversary is and what their goals are.
The adversary's goals are to buy these things

34:56.520 --> 35:01.800
that will work for as long as possible, but do they need it to leverage a brand new exploitation

35:01.800 --> 35:06.560
technique in order for it to be effective or worthwhile for them? No, because the existing

35:06.560 --> 35:10.980
exploitation techniques were working. Working just fine. So they didn't need to make that

35:10.980 --> 35:16.480
additional investment in trying to find these new exploitation techniques. The only party

35:16.480 --> 35:22.040
that was going to benefit from acquiring these new techniques was going to be the operating

35:22.040 --> 35:28.880
system manufacturer itself. Hence how I was able to convince Microsoft to not just buy

35:28.880 --> 35:36.780
its own bugs in terms of IE but buy these new exploitation techniques at what was, until

35:36.780 --> 35:46.920
Apple's bug bounty, the highest ongoing vendor bug bounty or vendor technique bounty essentially,

35:46.920 --> 35:53.840
that had been an unbroken record for the last three years. It's $100,000 ongoing with no

35:53.840 --> 36:01.280
time limit and no end. Anyone want to guess what the rate of Microsoft's learning about

36:01.280 --> 36:07.840
new exploitation was? How often would they come across a new exploitation technique through

36:07.840 --> 36:15.920
other means? Either disclosure from research or from attacks in the wild. Anyone want to

36:15.920 --> 36:21.360
guess how often that would happen before that bounty? No one wants to guess. I'm going to

36:21.360 --> 36:29.840
have to run among you again. Okay. But actually it was about once every three years. And that

36:29.840 --> 36:35.160
corresponds with the release of the operating systems at that point. The new mitigations

36:35.160 --> 36:41.160
would come out. Some security researchers and/or some attackers would research the ways

36:41.160 --> 36:46.000
that Microsoft had tried to harden the platform and make exploitation harder.
And then you

36:46.000 --> 36:52.880
would become aware of new exploitation techniques once every three years. Does anyone want to

36:52.880 --> 37:00.320
guess at how many times the $100,000 mitigation bypass bounty has been paid out in the last

37:00.320 --> 37:08.840
three years? Well, it's not once. They paid out over half a million dollars in this ongoing

37:08.840 --> 37:15.960
bounty. Because the hackers who are capable of thinking their way around the latest mitigations

37:15.960 --> 37:23.240
often weren't doing it for the money necessarily. They might be doing it for the recognition,

37:23.240 --> 37:28.200
but they were definitely doing it for what I call the pursuit of intellectual happiness.

37:28.200 --> 37:33.760
And they were curious to see if they could defeat these mitigations. And Microsoft was

37:33.760 --> 37:39.800
inviting them to go ahead and do so and offering them a six-figure amount and all the publicity

37:39.800 --> 37:47.800
they could possibly stand for being helpful in this ecosystem. So fast forward, how did

37:47.800 --> 37:54.800
this actually factor into the Pentagon? So I had given a lecture about all of these different

37:54.800 --> 38:03.160
mechanisms that I was employing at Microsoft in order to intentionally disrupt some of

38:03.160 --> 38:08.640
the dynamics in the vulnerability and exploit market and intentionally bring in some of

38:08.640 --> 38:14.400
these bugs at certain times, some of these techniques at a faster rate, and all of these

38:14.400 --> 38:19.760
things. And I had given this lecture and somebody from the Pentagon happened to be in the room.

38:19.760 --> 38:24.600
So that was the first time I was invited to the Pentagon. So I gave the same lecture essentially

38:24.600 --> 38:32.200
to a room full of people in the Pentagon.
And one of the things that I noted was, you

38:32.200 --> 38:37.640
know, as with any military organization in the modern world, there certainly were people

38:37.640 --> 38:42.560
who were in that room who were interested in what I was doing because they were annoyed

38:42.560 --> 38:46.360
because it was going to make their offensive job harder. I don't know who they were. I

38:46.360 --> 38:56.160
couldn't identify them. But the offense arm of, you know, the biggest military in the

38:56.160 --> 39:04.040
world was in that room. But the defense arm was too. And so the conversations that were

39:04.040 --> 39:10.940
started at that point became conversations I was having over the next couple of years,

39:10.940 --> 39:16.640
even as I left Microsoft, even as I went to my former startup company that does bug bounties,

39:16.640 --> 39:25.160
the conversations accelerated this past fall. And the reason they did was because something

39:25.160 --> 39:31.280
called the digital defense service was started inside the Pentagon. Now, if you go into the

39:31.280 --> 39:38.360
Pentagon and you find DDS, well, or someone leads you there, they actually have a little

39:38.360 --> 39:45.000
plaque under the door that says Rebel Alliance, Star Wars style, right? So you go in and they

39:45.000 --> 39:50.840
basically say welcome to the Rebel Alliance. They've got, you know, little BB-8 logos on

39:50.840 --> 39:57.240
the sides. It's an open-seating environment. And they've got hackers and programmers from

39:57.240 --> 40:04.440
some of the most interesting technology companies who are doing rotations in this place. And

40:04.440 --> 40:11.280
the whole purpose is to accelerate the Department of Defense's acquisition and utilization of

40:11.280 --> 40:18.320
modern technology and modern security techniques.
So this brand new group that had been created

40:18.320 --> 40:25.480
for the purpose of accelerating, you know, or accelerating the Pentagon's adoption of

40:25.480 --> 40:35.160
technology much faster than the usual acquisition time cycles of software, that was the group

40:35.160 --> 40:42.240
that ended up spearheading on the inside the creation of Hack the Pentagon. Because essentially

40:42.240 --> 40:48.720
they were told "do things better, do things faster." And I believe in my purse is the card

40:48.720 --> 40:52.960
of Lisa Wiswell that literally says under her title, and this is an officially issued

40:52.960 --> 40:59.960
card from the Pentagon, "get shit done." It says it on her card. So how cool is that?

40:59.960 --> 41:07.240
They were given the license to try and experiment with technology and try and experiment with

41:07.240 --> 41:11.840
some of these proven techniques that were in the software security world for acquiring

41:11.840 --> 41:16.680
vulnerability information and interacting with the hacker community. So the time was

41:16.680 --> 41:23.400
right. They were ready to essentially launch, you know, their, launch their rebel, their

41:23.400 --> 41:31.200
rebel mission. And I remember getting the call from the Pentagon saying "good news, we're

41:31.200 --> 41:35.320
going to go forward with this." And I thought, this is insane. Why is this happening? Am

41:35.320 --> 41:39.360
I dreaming? I'm asleep. What time zone am I in? I have no idea. How could this even

41:39.360 --> 41:47.440
be true? That after all this, they're finally ready to allow hackers to hack them. And so

41:47.440 --> 41:52.560
how many of you actually, you know, kind of saw the unfolding of the actual Hack the Pentagon

41:52.560 --> 41:59.520
challenge, the 21 days and everything? A couple of you, yeah.
So what that ended up being

41:59.520 --> 42:05.520
was it was a pilot, right, to prove the concept, to oil the gears of the people receiving the

42:05.520 --> 42:10.720
vulnerability reports and needing to fix the issues on the back end of the Pentagon. It was a

42:10.720 --> 42:17.320
21-day period. And they not only got all of these vulnerabilities, I believe it was 138

42:17.320 --> 42:23.920
vulnerabilities that they paid $70,000 for total. But they also got that precious access

42:23.920 --> 42:31.800
directly to the hackers. And Ash Carter inviting that child to come stand beside him at the

42:31.800 --> 42:40.520
podium to shake his hand in the secret coin-passing ceremony of how they give you challenge

42:40.520 --> 42:45.840
coins, you know, in the military is supposed to be silent, in person and with a handshake.

42:45.840 --> 42:50.520
So if you watch that video, you can see Ash Carter kind of getting the coins and shaking

42:50.520 --> 42:58.100
the hands of the people who are on stage with him, including this child. At the end of it,

42:58.100 --> 43:03.520
not only did Secretary Carter announce how successful the program was, but he announced

43:03.520 --> 43:11.600
that it was going to continue and expand. This experiment that 35 years ago when the

43:11.600 --> 43:17.160
movie WarGames, you know, was coming out and scaring President Reagan into making hacking

43:17.160 --> 43:27.240
a federal crime, from that moment all the way until Secretary Carter is thanking hackers

43:27.240 --> 43:36.280
and asking more of them to come forward and help seems like an impossible thing.
But given

43:36.280 --> 43:43.400
the fact that a long time ago when I was hacking computers, that moment where I decided that

43:43.400 --> 43:50.900
changing the world one bug at a time wasn't going to be enough, figuring out how these

43:50.900 --> 43:59.240
systems worked, how the objections of these large organizations worked became my new hacking

43:59.240 --> 44:08.220
mission. And essentially that was what ultimately caused not just Microsoft, not just the Pentagon,

44:08.220 --> 44:14.420
but we're seeing more and more of this revolution where huge organizations and governments are

44:14.420 --> 44:20.560
realizing not just the need to work with hackers, but that it's actually quite advantageous

44:20.560 --> 44:27.680
to them to do so and that they can't possibly meet the challenges of today or tomorrow without

44:27.680 --> 44:34.240
us. So they've restarted my timer like five times. What I'm going to do at this moment

44:34.240 --> 44:41.480
is give you about, I think, maybe two minutes to ask me some questions. If you're shy, we

44:41.480 --> 44:47.520
can take the questions out into the foyer. But really, I mean, what is this about? I

44:47.520 --> 44:54.040
told you about how I was able to reverse-engineer all of the objections of these large organizations

44:54.040 --> 45:00.760
and in fact exploit the mutual benefit of being able to work with hackers directly and

45:00.760 --> 45:06.040
in fact pay the money. But what does this have to do with you? How many of you are in

45:06.040 --> 45:11.840
organizations that are considering a bug bounty program? None. You will not admit it. Okay.

45:11.840 --> 45:17.880
How many of you are in organizations that are capable of receiving a bug report from

45:17.880 --> 45:26.080
the outside? God, so few. So one thing was interesting. So I mean, just for people who

45:26.080 --> 45:30.300
will watch this later, there were about five hands that went up in this room.
That does

45:30.300 --> 45:36.000
not surprise me. One of the most interesting pieces of data from my former company was

45:36.000 --> 45:41.080
they looked at the Forbes top 2000 companies. These are companies that make billions of

45:41.080 --> 45:46.560
dollars in revenue. They spend millions of dollars on security. They do all their compliance

45:46.560 --> 45:57.840
stuff. 94% of the top 2000 companies, according to Forbes, 94% had no published way to receive

45:57.840 --> 46:01.520
a vulnerability report. They had no email address like secure@microsoft.com. They had

46:01.520 --> 46:08.500
no web form. They had no page on their website that even said, we want to hear from you hackers.

46:08.500 --> 46:19.560
Tell us about our weaknesses. 94%. Only 6% had something at all. Of the Fortune 100 companies,

46:19.560 --> 46:27.560
six of them have bug bounty programs. So what does this all mean? This means that the world

46:27.560 --> 46:32.600
is not quite ready for bug bounty programs because the world is not quite ready to even

46:32.600 --> 46:41.040
hear from you. So what I would say to that before I actually let you ask me questions

46:41.040 --> 46:48.060
is think about all of the ways in which an organization actually needs to prepare to

46:48.060 --> 46:56.560
receive the bountiful blessings from the hacker community, which are bugs. And help them understand

46:56.560 --> 47:01.000
that essentially there are only three ways to learn about your vulnerabilities. You can

47:01.000 --> 47:06.060
hire pen testers or hire really smart people to work for you and find them yourself. Somebody

47:06.060 --> 47:10.400
friendly on the outside, like a partner or a customer or a hacker, can tell you about

47:10.400 --> 47:18.560
it. Or you can be attacked. Now, of those three methods, logically, why would you ever

47:18.560 --> 47:26.320
want to cut off one of them?
So with that, I would like to thank Dylan, Belinda, the

47:26.320 --> 47:31.440
Hack in the Box crew, I would like to thank all of you for waking up and standing up and

47:31.440 --> 47:38.160
entertaining me at least for the last hour or so. And I would also like to open it up

47:38.160 --> 47:45.320
for questions. But at the end of the day, I mean, we are the ones who have created this

47:45.320 --> 47:51.240
technological world that we depend on. And we're the only ones who can secure it. So

47:51.240 --> 48:06.880
thank you so much. Questions from the floor? Don't be shy. I'm not singing yet. Okay, that's

48:06.880 --> 48:17.920
not a question you can ask. But I will take requests later. So what time is karaoke? Great

48:17.920 --> 48:23.000
question. What time is karaoke? After whatever the party is tonight, there will be karaoke.

48:23.000 --> 48:27.680
No, I mean, in all seriousness, I know you may be shy and you might have, but nobody

48:27.680 --> 48:31.560
wanted to raise their hand when I asked, you know, how many of your organizations are thinking

48:31.560 --> 48:35.640
about bug bounties and then how many of your organizations can even receive bugs. You probably

48:35.640 --> 48:40.600
have a lot of shy questions you want to ask me in the hallway. And that's okay. I'm pretty

48:40.600 --> 48:46.960
easy to find on the Internet. But I want to thank again the crew and all of you for waking

48:46.960 --> 48:51.120
up and being with me and indulging me this morning. And now remember, who were those

48:51.120 --> 48:56.720
folks? Stand up one more time, the last group of people who had been doing computer security

48:56.720 --> 49:02.360
for the last 15 years or more, that last group of people, stand up again. Come on. I know

49:02.360 --> 49:08.960
I'm standing.
All right, these folks, give them a hand and buy them drinks because

49:08.960 --> 49:15.360
my God, we've had so many reasons to drink ourselves to death in the last 15 or so years,

49:15.360 --> 49:21.960
so buy them, buy them water as well. Again, thank you so much. Thank you very much, Katie.